1. 33

  2. 5
    1. 5

      I’m being pedantic on purpose: this malware doesn’t meet the definition of “computer virus”.

      The malware used stolen credentials to steal more credentials.

      This story is not over!

      1. 1

        From the postmortem:

        npm has revoked all access tokens issued before 2018-07-12 12:30 UTC. As a result, all access tokens compromised by this attack should no longer be usable.

        …It’s still not over! Because those tokens might have already been used to publish more malware… It’s whack-a-mole.

        Wow, they don’t even mention that aspect. They did consider it, they must have. Afraid to talk about it?

      2. 2

        The resolution for this looks like it’s still ongoing (at least that thread is active). I’d ask that people here don’t put their oar in that thread until they’re able to get this sorted out.

        1. 1

          Reminds me of the need for features like what I proposed in this RFC to Yarn: https://github.com/yarnpkg/rfcs/pull/76 Will try to find time soon to take up work on that one again.

          Also: Here is the thread from the previous time this happened: https://lobste.rs/s/eyyiav/npm_package_is_stealing_env_variables_on

          1. 1

            Scary how often viruses like this are showing up in Linux! I think this is the beginning of a new time... and we’re going to have to change the way we do things to stay safe.

            1. 7

              These incidents (at least in the NPM context) are good endorsements for the goals of Ryan Dahl’s deno, which runs code sandboxed by default.

              1. 4

                Sandboxing is good, but I don’t want to run malicious code at all, even if it’s properly contained! We need better review too.

                1. 3

                  I’d go a little bit further than that. We need to extend the security architecture of our package managers. For example, architectures like TUF, notary/Docker Content Trust, or PEP-458 are great starting points.

                2. 5

                  This is more of an NPM virus, not a Linux-specific one.

                3. 1

                  more packages, more attack surface, scary world